Seems like server denies tls negotiation from the wireshark output but I fail to see why from the code. It is based on code that worked, only it was deprecated and I therefore update with new API. The code is to get started. Need to use real certificates. Does anyone see why the server sends tcp FIN, ACK?
I have this server code:
ServerBootstrap sbssl = new ServerBootstrap();
bossGroupSsl = new NioEventLoopGroup(1);
workerGroupSsl = new NioEventLoopGroup();
sbssl.group(bossGroupSsl, workerGroupSsl).option(ChannelOption.SO_RCVBUF, 8192).handler(new LoggingHandler(LogLevel.DEBUG))
.option(ChannelOption.RCVBUF_ALLOCATOR, new FixedRecvByteBufAllocator(8192))
.channel(NioServerSocketChannel.class)
.childHandler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline cp = ch.pipeline();
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContext cont2 = SslContextBuilder.forServer(cert.privateKey(), cert.certificate()).build();
SSLEngine engine = cont2.newEngine(ch.alloc());
cp.addLast("ssl", new SslHandler(engine));
and this client code:
Bootstrap b = new Bootstrap();
group = new NioEventLoopGroup();
Log.d(RegisterAttemptSSL.class.getName(), "connecting");
InetSocketAddress ria = new InetSocketAddress(toHostname, portDestination);
b.group(group).channel(NioSocketChannel.class).option(ChannelOption.IP_TOS, 24)
.remoteAddress(ria).handler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) throws Exception {
SslContext cont2 = SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE).build();
SSLEngine engine = cont2.newEngine(ch.alloc(), toHostname, portDestination);
engine.setEnabledProtocols(new String[] {"TLSv1.2"});
ch.pipeline().addLast(new SslHandler(engine, false));
Resulting in this wireshark:
21 16.840654 10.1.10.100 10.1.10.203 TCP 74 4683 → 5061 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=62567382 TSecr=0 WS=256
22 16.840931 IntelCor_25:1d:fc Broadcast ARP 42 Who has 10.1.10.100? Tell 10.1.10.203
23 16.856111 SonyMobi_7f:55:af IntelCor_25:1d:fc ARP 42 10.1.10.100 is at 84:c7:ea:7f:55:af
24 16.856198 10.1.10.203 10.1.10.100 TCP 74 5061 → 4683 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=46199014 TSecr=62567382
25 16.859326 10.1.10.100 10.1.10.203 TCP 66 4683 → 5061 [ACK] Seq=1 Ack=1 Win=87808 Len=0 TSval=62567385 TSecr=46199014
26 16.872274 10.1.10.100 10.1.10.203 TLSv1 179 Client Hello
27 16.964375 10.1.10.203 10.1.10.100 TCP 66 5061 → 4683 [FIN, ACK] Seq=1 Ack=114 Win=66560 Len=0 TSval=46199026 TSecr=62567387
28 16.965112 10.1.10.203 10.1.10.100 TCP 54 5061 → 4683 [RST, ACK] Seq=2 Ack=114 Win=0 Len=0
netty 4.1.18.Final Win 7 jdk 8
With this code on server side it works except for channelReadComplete beeing triggered without channelRead0 of the next handler beeing triggered first one extra time. Same handler is used for regular tcp and works fine without this quirk. On client side there is a nullpointer but the business logic is not affected.
ServerBootstrap sbssl = new ServerBootstrap();
bossGroupSsl = new NioEventLoopGroup(1);
workerGroupSsl = new NioEventLoopGroup();
sbssl.group(bossGroupSsl, workerGroupSsl).option(ChannelOption.SO_RCVBUF, 8192)
.option(ChannelOption.RCVBUF_ALLOCATOR, new FixedRecvByteBufAllocator(8192))
.channel(NioServerSocketChannel.class).handler(new LoggingHandler(LogLevel.DEBUG))
.childHandler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline cp = ch.pipeline();
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContext cont = SslContext.newServerContext(cert.certificate(), cert.privateKey());
cp.addLast("ssl", cont.newHandler(ch.alloc()));
01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: io.netty.handler.codec.DecoderException: java.lang.NullPointerException: ssl == null 01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) 01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) 01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) 01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) 01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) 01-26 15:34:34.546 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:141) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at java.lang.Thread.run(Thread.java:764) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: Caused by: java.lang.NullPointerException: ssl == null 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_pending_readable_bytes(Native Method) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at com.android.org.conscrypt.OpenSSLEngineImpl.pendingInboundCleartextBytes(OpenSSLEngineImpl.java:491) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at com.android.org.conscrypt.OpenSSLEngineImpl.unwrap(OpenSSLEngineImpl.java:679) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at com.android.org.conscrypt.OpenSSLEngineImpl.unwrap(OpenSSLEngineImpl.java:630) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at com.android.org.conscrypt.OpenSSLEngineImpl.unwrap(OpenSSLEngineImpl.java:596) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:292) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1159) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) 01-26 15:34:34.547 31823-31856/no.tobiassenit.sipclient W/System.err: ... 16 more
Seems the problem occurs even though the new api is not used - just activating the classes is enough. So this works:Seems the problem occurs even though the new api is not used - just activating the classes is enough. So this works:
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContext cont = SslContext.newServerContext(cert.certificate(), cert.privateKey());
//SslContext cont2 = SslContextBuilder.forServer(cert.privateKey(), cert.certificate()).build();
//SSLEngine engine = cont2.newEngine(ch.alloc());
//engine.setUseClientMode(true);;
//cp.addFirst("ssl", new SslHandler(engine));
cp.addFirst("ssl", cont.newHandler(ch.alloc()));
while this does not (tcp fin, ack):
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContext cont = SslContext.newServerContext(cert.certificate(), cert.privateKey());
SslContext cont2 = SslContextBuilder.forServer(cert.privateKey(), cert.certificate()).build();
SSLEngine engine = cont2.newEngine(ch.alloc());
//cp.addFirst("ssl", new SslHandler(engine));
cp.addFirst("ssl", cont.newHandler(ch.alloc()));
